7/27/2023 LTE Authentication.

Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

LTE Authentication
Sudheesh Singanamalla · Follow
Published in uwcse-ictd
7 min read · Feb 19, 2020

Listen Share

Authentication refers to the idea of validating the identity of a user or a device trying
to access the resources provided by a given service and Authorization helps in
controlling the access to these resources. In the case of LTE and wireless networks,
authentication is used to enable a user device such as a mobile phone or an IoT
device to connect to the network and use the resources provided by the network
such as calling, Internet/data services or messaging services. Authorization is used
to check if the user connected to the network can actually be granted services. For
example:

Authentication: Check if the user device with the SIM card is actually owned by
the network to which it is trying to connect to

Authorization: Check if the user has sufficient credit balance to access the data
services at 1 MBps.

So how does this really happen in LTE Networks?

LTE networks use the Evolved Packet System Authentication and Key Agreement
(EPS-AKA) procedure for bidirectionally authenticating the user i.e. authenticating
the user to the network and the network to the user.

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 1/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Let’s break this image down into the parts that we really need. Each USIM card
produced by the network operator contains a cryptographic key, Ki,which is also
known to the network operator and stored in the HSS. To authenticate, this key is
used to:

1. Have the UE authenticate the network: Why? This is to prove that the UE is
indeed speaking to the network to which it is supposed to be talking to in the
first place

2. Have the network authenticate the UE: Why? This is to ensure that the UE who
has actually paid for the network service and belongs to the network is the one
who receives access to it.

Protocol Call Flow for Authentication

Attach Request
In order to join the network, the UE firstly sends an attach request to the MME via
the eNB (base station) with the corresponding PLMN Identity, Mobile Country Code
(MCC), Mobile Network Code (MNC) and a cell ID. The MME sends a back a
response to the UE requesting for an IMSI. This message is known as an Identity
Request and is sent as a Downlink NAS Transport message. The uplink NAS message

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 2/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

from the UE is an Identity Response which contains the mobile identity (IMSI) value
thereby completing the Attach request phase of the protocol.
Authentication Information Request and Response
After receiving the Identity Response, The MME sends a diameter (S6a) message
called Authentication Information Request (AIR) from the MME to the HSS
Open in app and
Sign up sends
Sign In
the corresponding mobile identity. The HSS on receiving this information computes
is responsible for:

1. Checking if the subscriber corresponding to the IMSI value is a genuine

subscriber belonging to the network.

2. Performing the necessary cryptographic operations to generate an

authentication vector (AV) necessary to challenge the UE for authentication.

The response from the HSS to the MME i.e. Authentication Information Answer (AIA)
contains the authentication information which includes a random byte array
denoted by RAND, the expected response from the UE to the MME denoted by
XRES, the authentication response denoted by AUTN, and a shared key called the
Key Access Security Management Entries denoted by Kasme.

So how are these values generated? Let’s dig deeper into the HSS to see what
happens to create this Authentication Information Answer (AIA) response.

Authentication Vector Generation

The HSS contains the LTE key Ki which is the same as the key that’s present on the
USIM of the UE. In addition, the SIM card also contains the network operators key
OPc and an Authentication Management Field (AMF). These are two very critical
secret keys which should be safeguarded by the network operators at any cost.

On receiving the request, the HSS checks for the existence of a database record
corresponding to the subscriber and retrieves the Ki, OPc values. For simplicity
reasons, let us assume that the network operator knows the last used SQN number,
we look into how to obtain this value in a later blog post.

1. The HSS then generates a 16 byte random value and stores it in RAND.

2. The AMF, Ki, SQN and RAND values are fed into the Milenage algorithm which
generates the responses for AUTN, Anonymity Key (AK), Cipher Key (CK),
Integrity Key (IK) and an expected response XRES.

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 3/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

3. Another set of algorithms use the generated AK, CK, IK from the Milenage
algorithm to compute Kasme.
How does Milenage Really work?
Milenage consists of a series of functions denoted by f1, f2, f3, f4, f5 according to
the 3GPP specification. These are also sometimes written in open source cores as f1
and f2345 denoting the execution of each of the functions f2,f3,f4,f5 and collectively
returning a response.

The function f1 takes OPc, Ki, RAND, SQN and AMF values and performs:

1. For each byte of RAND, OPc performs a XOR operation and stores the result into
a temporary value (TMP1).

2. Run AES128 bit encryption on TMP1 using Ki

3. Expand the byte arrays of SQN, AMF to 128 bits i.e. creating `SQN || AMF || SQN ||
AMF` and storing it in TMP2

4. Perform TMP2 xor OPc and rotate it by a constant r1 i.e. 8 bytes (0x40)

5. TMP3 = TMP2 ⊕ OPc with r1 byte rotation

6. xor the value in TMP3 with TMP1

7. AES128 encrypt TMP3 using Key Ki and assign the value to TMP1

8. xor the value in TMP1 with OPc as F1_RES

9. The first 8 bytes of the F1_RES correspond to MAC_A which is a 64 bit network
authentication code.

10. The second 8 bytes of the F1_RES correspond to MAC_S which is a 64 bit
resynchronization authentication code.

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 4/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

11. Return MAC_A, MAC_S as the result of F1.

The function f2345, uses the OPc, Ki, RAND, to generate XRES, CK, IK, AK. The
function has constants r2, r3, r4, and r5 corresponding to the constant of bytes to
rotate the array. In addition there are constants c2, c3, c4, and c5 which are
constants used in different functions. This is done by:

1. Computing RAND xor OPC and storing it in TMP1.

2. AES128 encrypt TMP1 using Ki and store the result in TMP2.

3. Update TMP1 by performing TMP2 xor OPc.

4. Additionally xor the last byte i.e. 15 index, with a constant c1 and rotate by r2=0

5. TMP1 = TMP2 ⊕ OPc

6. TMP1[15] = TMP1[15] ⊕ 1 where c1 is a constant with value 1

7. AES128 encrypt TMP1 using key Ki and store the result in TMP3

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 5/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

8. Perform TMP3 = TMP3 ⊕ OPc

9. The result of f5 is the first 6 bytes of TMP3 i.e. TMP3 bytes 0–5 which is AK

10. The result of f2 is the last 8 bytes of TMP3 i.e. TMP3 bytes 8–15 which is XRES

11. Perform TMP2 xor OPc and assign the result to TMP1 with r3 = 4 bytes

12. TMP1 = TMP2 ⊕ OPc with r3 byte rotation

13. xor the last byte of TMP1 with a constant c3 = 2

14. AES128 encrypt TMP1 using key Ki and copy the result into CK

15. For f3, Perform xor of CK with OPc and assign the result to final value of CK

16. Similar to step 6, perform the TMP2 xor OPc and assign the result to TMP1 with
r4=8 bytes and xor with a constant c4=4.

17. TMP1 = TMP2 ⊕ OPc with r4 byte rotation

18. xor the last byte of TMP1 with constant c4=4

19. AES128 encrypt TMP1 using key Ki and copy the result into IK

20. For f4, Perform xor of IK with OPc and assign the result to final value of IK

After computing the MAC_A, MAC_S, AK, IK, CK, and XRES. The AUTN value is
obtained by concatenating the SQN xor AK, with AMF and MAC_A value.

AUTN = (SQN AK) || AMF || MAC_A

Note: The MAC_S value is used in case of synchronization failures of SQN. We will cover
this in a later blog post.

The results of milenage and other information i.e. AUTN, SQN, XRES, CK, IK, AK
along with PLMN are used to compute the Kasme value by doing:

1. k = CK || IK

2. Initialize a 14 byte buffer s

3. Assign the first byte of s as 0x10

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 6/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

4. Copy the 3 bytes of PLMN into s

5. Assign 5th and 6th byte as 0x00 and 0x03

6. Assign the next 6 bytes as SQN ⊕ AK

7. Assign the last two bytes as 0x00 and 0x06

8. Perform an HMAC-SHA256 using Key k from step 1 and s as the message.

9. The corresponding output from this function is the Kasme

The Authentication Information Answer contains the AUTN, RAND, Kasme, XRES
which is sent by the HSS to the MME as a diameter response.

Authentication Request and Response

The MME removes the XRES from the AIA request and packages the the (AUTN,
RAND, Kasme) into an authentication vector and sends an Authentication Request to
the UE. The UE knows the SQN value to use and contains the corresponding Ki, OPc
values in the USIM and executes the Milenage algorithm using the RAND value that
has been provided.

The UE computes a new AUTN value and compares it to the value that has been
provided in an effort to authenticate the network to the UE. Once the UE
successfully validates the network it is communicating with, it generates a RES
which is sent as an Authentication Response to the MME. The MME validates if the
response provided RES matches the expected response XRES and sends a
successful/unsuccessful authentication message to the UE. The UE is now
authenticated and attached to the network.

The UE further computes the Kasme values to compute the necessary AK, CK, IK
keys used for encryption and integrity checks in further communications.

Images from the 3GPP spec ETSI TS 135 205 v 13.0.0 (2016–01) Universal Mobile
Telecommunications System. Specification of the Milenage Algorithm set.

Lte Cryptography Authentication Cellular

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 7/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Follow

Written by Sudheesh Singanamalla

3 Followers · Writer for uwcse-ictd

PhD Student @ UW ICTD

More from Sudheesh Singanamalla and uwcse-ictd

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 8/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Sudheesh Singanamalla in uwcse-ictd

dAuth — Distributed Authentication and use in Roaming contexts

In our research lab we work on small-scale, community-managed cellular networks, which
usually consist of a single base station attached…

7 min read · Feb 14, 2020

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 9/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Sudheesh Singanamalla in uwcse-ictd

Measuring the Adoption of HTTPS by Governments Worldwide

Across the world, government websites are expected to be reliable sources of information,
regardless of their average daily view count…

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 10/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

7 min read · Oct 7, 2020

11

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 11/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Jared Moore in uwcse-ictd

Smartphones and the Future

A focus on smartphones excludes the most marginalized

7 min read · Aug 1, 2018

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 12/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Sarah Oslund in uwcse-ictd

Adapting Websites for Free Basics

Authors: Kevin Te and Sarah Oslund

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 13/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

5 min read · Jun 8, 2018

53

See all from Sudheesh Singanamalla

See all from uwcse-ictd

Recommended from Medium

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 14/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Love Sharma in ByteByteGo System Design Alliance

System Design Blueprint: The Ultimate Guide

Developing a robust, scalable, and efficient system can be daunting. However, understanding
the key concepts and components can make the…

· 9 min read · Apr 21

6.6K 53

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 15/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Jacob Bennett in Level Up Coding

Use Git like a senior engineer

Git is a powerful tool that feels great to use when you know how to use it.

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 16/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

· 4 min read · Nov 15, 2022

7.9K 80

Lists

General Coding Knowledge

20 stories · 104 saves

New_Reading_List
174 stories · 33 saves

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 17/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Unbecoming

10 Seconds That Ended My 20 Year Marriage

It’s August in Northern Virginia, hot and humid. I still haven’t showered from my morning trail
run. I’m wearing my stay-at-home mom…

· 4 min read · Feb 17, 2022

55K 856

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 18/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

The PyCoach in Artificial Corner

You’re Using ChatGPT Wrong! Here’s How to Be Ahead of 99% of

ChatGPT Users
Master ChatGPT by learning prompt engineering.

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 19/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

· 7 min read · Mar 18

29K 523

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 20/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Kristen Walters in Adventures In AI

5 Ways I’m Using AI to Make Money in 2023

These doubled my income last year

· 9 min read · Jul 20

16.8K 270

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 21/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

Zulie Rane in The Startup

If You Want to Be a Creator, Delete All (But Two) Social Media Platforms
In October 2022, during the whole Elon Musk debacle, I finally deleted Twitter from my phone.
Around the same time, I also logged out of…

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 22/23
7/27/2023 LTE Authentication. Delving into the underlying crypto… | by Sudheesh Singanamalla | uwcse-ictd | Medium

· 8 min read · Apr 19

35K 797

See more recommendations

https://medium.com/uw-ictd/lte-authentication-2d0810a061ec 23/23